
Bump dependencies #3479

Open

jmthomas wants to merge 10 commits into main from dependencies

Conversation

@jmthomas

Member

No description provided.

@jmthomas jmthomas requested review from mcosgriff and ryanmelt June 17, 2026 15:46
@jmthomas jmthomas marked this pull request as ready for review June 17, 2026 15:46
codecov Bot commented Jun 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.32%. Comparing base (9074948) to head (d303e96).
⚠️ Report is 20 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3479   +/-   ##
=======================================
  Coverage   79.32%   79.32%           
=======================================
  Files         690      690           
  Lines       57346    57354    +8     
  Branches      728      728           
=======================================
+ Hits        45487    45494    +7     
- Misses      11781    11782    +1     
  Partials       78       78           
Flag          Coverage   Δ
python        80.37%     <ø> (-0.03%) ⬇️
ruby-api      81.42%     <ø> (+0.13%) ⬆️
ruby-backend  83.14%     <ø> (+<0.01%) ⬆️


arches.zip(new_paths).each do |arch, path|
url = "https://github.com/versity/versitygw/releases/download/#{version}/versitygw_#{version}_Linux_#{arch}.tar.gz"
puts " Downloading #{url}"
unless system("curl -fSL #{url} -o #{path}")
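Review bot: `system("curl -fSL #{url} -o #{path}")` passes one interpolated string to a shell, so any shell metacharacter in `version` (which flows into both `url` and `path`) would be interpreted; passing the arguments separately, e.g. `system('curl', '-fSL', url, '-o', path)`, makes Ruby exec `curl` directly with no shell involved. Validating `version` against the expected release-tag shape before `url` is built would also address the path handling on the same value.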

Contributor (AikidoSec bot)

Possible command injection via exec()-type functions - critical severity
Ruby has many ways to do system calls, including syscall, system, exec, but also %x() and the use of backticks. Backticks (``) in Ruby are very dangerous and counter-intuitive. These are not single quotes ('). Ruby automatically attempts to execute the contents of the backticks as a shell command and the output will be returned.

Remediation: If possible, avoid using these functions altogether. If not, use a list of allowed inputs that can feed into these functions.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

# True if both Linux release tarballs for `version` already exist in openc3-buckets.
def versitygw_binaries_present?(version)
%w[arm64 x86_64].all? do |arch|
File.exist?(File.join(ROOT_DIR, 'openc3-buckets', "versitygw_#{version}_Linux_#{arch}.tar.gz"))
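Review bot: `versitygw_binaries_present?` builds the tarball path from `version` by interpolation with no check that `version` is a single plain path segment, which is what the path-traversal finding is about; a guard at the top of the method such as `raise ArgumentError, "bad version" unless version.match?(/\A\d+(\.\d+)*\z/)` (adjusted to the actual tag format if tags carry a `v` prefix) would bound the value. A one-line comment on where `version` comes from (a constant in the script versus a command-line argument) would also tell the next reader whether the finding is reachable.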

Contributor (AikidoSec bot)

Path traversal attack possible - high severity
A malicious actor could control the location of this file, which may allow them to retrieve, write or delete files outside of the intended folder.

Remediation: To address this, ensure that user-controlled variables in file paths are sanitized at least to not contain '..' or forward slashes.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

def download_versitygw_binaries(version)
buckets_dir = File.join(ROOT_DIR, 'openc3-buckets')
arches = %w[arm64 x86_64]
new_paths = arches.map { |arch| File.join(buckets_dir, "versitygw_#{version}_Linux_#{arch}.tar.gz") }
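Review bot: `arches = %w[arm64 x86_64]` and the `"versitygw_#{version}_Linux_#{arch}.tar.gz"` filename template are repeated verbatim from `versitygw_binaries_present?`; pulling them into a constant and a small `versitygw_tarball_path(buckets_dir, version, arch)` helper would reduce the duplication on new code and give a single place to validate `version` before it reaches `File.join`.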

Contributor (AikidoSec bot)

Path traversal attack possible - medium severity
A malicious actor could control the location of this file, which may allow them to retrieve, write or delete files outside of the intended folder.

Remediation: To address this, ensure that user-controlled variables in file paths are sanitized at least to not contain '..' or forward slashes.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

@jmthomas jmthomas requested review from ryan-pratt and removed request for mcosgriff June 29, 2026 16:24

@ryanmelt ryanmelt left a comment (Member)

New anycable released 30 minutes ago

ryan-pratt (Contributor) commented Jun 29, 2026

> New anycable released 30 minutes ago

Don't we wait 1d anyway

e2a: I guess really only npm, but we should consider that policy for all dep chains

jmthomas (Member, Author) commented

> > New anycable released 30 minutes ago
>
> Don't we wait 1d anyway
>
> e2a: I guess really only npm, but we should consider that policy for all dep chains

I specifically made the change that we're incorporating so yes I want this update. Should make our scans green.

Comment thread openc3-cosmos-init/plugins/packages/openc3-tool-base/public/js/vue.global-3.5.39.js Dismissed
socket-security Bot commented Jun 29, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High
Alert: Obfuscated code: pypi numpy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: openc3-cosmos-init/plugins/packages/openc3-cosmos-demo/requirements.txt (pypi/numpy@2.5.0)

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

@jmthomas jmthomas requested a review from ryanmelt June 29, 2026 21:29
ryanmelt (Member) commented

Looks like traefik and pnpm still need a bump.

ryanmelt previously approved these changes Jun 29, 2026
sonarqubecloud Bot commented

Quality Gate failed

Failed conditions
8.0% Duplication on New Code (required ≤ 3%)

@jmthomas jmthomas requested a review from ryanmelt June 30, 2026 14:39